Hi,
I am moving away from an old iptables linux box firewall setup I had going on and was trying to replicate the setup on an SSG 5. I currently have a /29 IP range from my DSL provider which I can get working easy enough using a PPPoE profile mapped to an interface. I can also set up all of the NAT/DMZ bits that I had before, but the one part I can't work out is how to give another device on my network an IP in my untrust range.
On the linux box I created a bridge device, bound two NICs to it and enabled proxy arp. I have tried to replicate this on the SSG5 but to no success.
For this example let's say I was given 100.1.1.1/29, I use .1 as the SSG 5 untrust IP and .2 as my extra device IP.
Currently I have configured a bgroup0 which uses e0/3 and e0/4. I have my DSL modem connected to e0/3 and the PPPoE profile mapped to the bgroup0 interface. This works fine. I then plug in my other network device to e0/4 and assign it an IP from the static range.
If I run a get arp on the SSG5 I see the IP and MAC address of the device being listed in its ARP table. I can't, however, ping it from the SSG5 or from the other device going back to the SSG5.
I added an Untrust Intra-Zone policy which just says any -> any allow and log. I can see log entries being generated here.
I guess the first question is can the SSG5 handle the setup I'm trying to achieve? If so, am I going about it in the correct way? I know I can subnet out the /29 range and route traffic to another interface but then I'd lose an extra IP of the 5 available as another gateway. Also I'd like to do this without any NAT at all if possible.
I ran a debug of a ping from .1 going to .2 and it looks like the packet just goes round in circles!
Thanks
: in <bgroup0>, out <N/A>
chose interface bgroup0 as incoming nat if.
flow_first_routing: in <bgroup0>, out <N/A>
search route to (bgroup0, 100.1.1.1->100.1.1.2) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 0 for 100.1.1.2
add route 26 for 100.1.1.2 to route cache table
[ Dest] 26.route 100.1.1.2->100.1.1.2, to bgroup0
routed (x_dst_ip 100.1.1.2) from bgroup0 (bgroup0 in 0) to bgroup0
policy search from zone 1-> zone 1
policy_flow_search policy search nat_crt from zone 1-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 100.1.1.2, port 13014, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 41/18/0x9
Permitted by policy 41
No src xlate choose interface bgroup0 as outgoing phy if
no loop on ifp bgroup0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <bgroup0>, out <bgroup0>
existing vector list 1-4519744.
Session (id:8047) created for first pak 1
flow_first_install_session======>
route to 100.1.1.2
bypass L2 prepare if, nsp ready.
ifp2 bgroup0, out_ifp bgroup0, flag 00002800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (bgroup0, 100.1.1.2->100.1.1.1) in vr trust-vr for vsd-0/flag-3000/ifp-bgroup0
cached route 27 for 100.1.1.1
[ Dest] 27.route 100.1.1.1->100.1.1.1, to bgroup0
route to 100.1.1.1
bypass L2 prepare if, nsp ready.
ifp2 bgroup0, out_ifp bgroup0, flag 00002801, tunnel ffffffff, rc 1
flow got session.
flow session id 8047
flow_main_body_vector in ifp bgroup0 out ifp bgroup0
flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
post addr xlation: 100.1.1.1->100.1.1.2.
send out through normal path.
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20, vlan 0
send packet to traffic shaping queue.
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20020, vlan 0
pak has mac
Send to bgroup0 (150)
****** 04805.0: <Untrust/bgroup0> packet received [128]******
ipid = 21774(550e), @039e87b8
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup0:100.1.1.1/9464->100.1.1.2/1024,1(8/0)<Root>
existing session found. sess token 4
flow got session.
flow session id 8031
flow_main_body_vector in ifp bgroup0 out ifp N/A
flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
post addr xlation: 100.1.1.1->100.1.1.2.
send out through normal path.
flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
send packet to traffic shaping queue.
flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
pak has mac
Send to bgroup0 (150)
****** 04805.0: <Untrust/bgroup0> packet received [128]******
ipid = 21779(5513), @039edfb8
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup0:100.1.1.1/9564->100.1.1.2/1024,1(8/0)<Root>
existing session found. sess token 4
flow got session.
flow session id 8047
flow_main_body_vector in ifp bgroup0 out ifp N/A
flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
post addr xlation: 100.1.1.1->100.1.1.2.
send out through normal path.
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
send packet to traffic shaping queue.
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
pak has mac
Send to bgroup0 (150)
****** 04805.0: <Untrust/bgroup0> packet received [128]******
ipid = 21774(550e), @039ee7b8
packet passed sanity check.
flow_decap_vector IPv4 process
bgroup0:100.1.1.1/9464->100.1.1.2/1024,1(8/0)<Root>
existing session found. sess token 4
flow got session.
flow session id 8031
flow_main_body_vector in ifp bgroup0 out ifp N/A
flow vector index 0x1, vector addr 0x20f2a18, orig vector 0x20f2a18
post addr xlation: 100.1.1.1->100.1.1.2.
send out through normal path.
flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
send packet to traffic shaping queue.
flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20000, vlan 0
pak has mac
Send to bgroup0 (150)
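To turn the "round in circles" reading of the trace into something checkable, here is a small added Python helper (not from the original post, nor a Juniper tool) that parses the `flow_ip_send` egress lines and the `packet received` / `ipid` ingress lines of a ScreenOS `debug flow basic` capture and flags every packet the box transmitted on an interface and then saw arriving back on that same interface. The sample trace is constructed, abridged from the kind of output quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, abridged from the kind of "debug flow basic" output quoted
# in the post: two ICMP packets (IP IDs 0x5513 and 0x550e) are each sent out
# bgroup0 and then received on bgroup0 again, i.e. the bridge group loops them.
SAMPLE_TRACE = """\
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20, vlan 0
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x20020, vlan 0
Send to bgroup0 (150)
****** 04805.0: <Untrust/bgroup0> packet received [128]******
ipid = 21774(550e), @039e87b8
flow_ip_send: 550e:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
Send to bgroup0 (150)
****** 04805.0: <Untrust/bgroup0> packet received [128]******
ipid = 21779(5513), @039edfb8
flow_ip_send: 5513:100.1.1.1->100.1.1.2,1 => bgroup0(128) flag 0x0, vlan 0
Send to bgroup0 (150)
****** 04805.0: <Untrust/bgroup0> packet received [128]******
ipid = 21774(550e), @039ee7b8
"""

# Egress: "flow_ip_send: <ipid hex>:<src>-><dst>,<proto> => <ifp>(...)"
SEND_RE = re.compile(r"flow_ip_send: ([0-9a-f]+):(\S+)->(\S+),\d+ => ([\w/.]+)\(")
# Ingress header: "<Zone/ifp> packet received", followed by an "ipid = dec(hex)" line
RECV_RE = re.compile(r"<[\w-]+/([\w/.]+)> packet received")
IPID_RE = re.compile(r"ipid = \d+\(([0-9a-f]+)\)")


def find_forwarding_loops(trace: str) -> List[Tuple[str, str, str, str]]:
    """Return (ipid, src, dst, ifp) for every packet the firewall transmitted on
    an interface and later saw arriving on that same interface."""
    sent: Dict[str, Tuple[str, str, str]] = {}  # ipid -> (src, dst, egress ifp)
    pending_ifp = None                           # ingress ifp awaiting its ipid line
    loops = []
    for line in trace.splitlines():
        if m := SEND_RE.search(line):
            ipid, src, dst, ifp = m.groups()
            sent[ipid] = (src, dst, ifp)
        elif m := RECV_RE.search(line):
            pending_ifp = m.group(1)
        elif pending_ifp and (m := IPID_RE.search(line)):
            ipid = m.group(1)
            if ipid in sent and sent[ipid][2] == pending_ifp:
                src, dst, _ = sent[ipid]
                loops.append((ipid, src, dst, pending_ifp))
            pending_ifp = None  # each ingress header pairs with one ipid line
    return loops
```

Run it over a pasted capture and an empty result means the egress and ingress interfaces never coincide; every tuple it returns is one lap of a packet that the bridge group handed straight back to the flow engine.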